[FROM THE EDITOR]

A Tragic Reminder

As we go to press with this issue featuring building security on the cover, I’m punched in the gut by a reminder about how important it is.

And also a reminder of its limits.

This morning, New Haven police arrested a suspect in connection with the murder of 24-year-old Yale graduate student Annie Le.

The details of this case have emerged quickly and have been reported widely in the mainstream media. Le disappeared on September 8, last seen entering the university’s medical building. Her body was found on September 13, in a crawl space in the basement area. The coroner determined that she had been strangled.

The building in question is reportedly one of the most secure on the Yale campus. Swipe cards guard (and record) access into various parts of the facility.

Part of the forensics obviously involved a review of access card logs. “The pattern of movements captured by the computer records are the reason authorities focused almost immediately on Clark,” a source told the Hartford Courant. These logs indicated that lab technician Raymond Clark was in the same room with Le shortly after 10 a.m. on the day of her disappearance. Her swipe card was not used again after she entered that room. Clark’s card was subsequently used for entrance into the basement area where Le’s body was later discovered.

Such a tragic event necessarily brings about a review of procedures and safeguards. Could Le’s death have been prevented? This wasn’t a failure of the access control system; it was better characterized as a workplace violence incident.

Would additional surveillance cameras have had a deterrent effect? Perhaps, but one would have hoped the access control records would have already done so.

What about better background checks? The police investigation uncovered an ex-girlfriend of Clark who alleged that he forced her to have sex on one occasion, but there is no immediate evidence present to determine that the incident resulted in charges that would have appeared on a record somewhere.

What about better security awareness efforts on campus? Sadly, Annie Le had written about the issue herself, in an article titled “Crime and Safety in New Haven” published by the medical school’s magazine. She was not unaware of her surroundings or of safety risks.

Universities have beefed up security in the wake of the Virginia Tech shootings in 2007, instituting quick communication and lockdown procedures, upgrading access control, expanding surveillance. Annie Le provides us all with another tragic reminder to stay on guard.

And that no security measure is ever perfect.

-Derek Slater, dslater@cxo.com
[FROM THE PUBLISHER]

The Struggle With DLP

Few security technologies have received as much attention over the past few years as Data Leakage Prevention (DLP) solutions have. The concept behind them is exciting, offering the ability to scan traffic on your network and in your systems, and assign rules-based protections to the data that you want to protect. Someone e-mailing out a copy of customer records with SSNs? The DLP system will block it or encrypt it on the fly. Someone trying to copy IP to a USB drive? Alert management and block the action. It can be a great way to protect your most critical information assets, but as many have found, it is not an end-all, be-all solution to your data leakage problems.

This summer, CSO partnered with GTB Technologies to examine the experiences and expectations of DLP solutions. What we discovered is very consistent with what I have been hearing from CSOs around North America: DLP can be very good, but be prepared for hidden costs and lots of management effort, including internal staffing demands.

As I mentioned above, DLP does work, but the hidden challenges can be pretty big if you don’t know what you’re getting into. Consistent with what we have seen in other surveys we have conducted, 53 percent of respondents already have a DLP solution in place. What was very interesting to see was that nearly half of those with a solution in place are planning to replace that solution within the next 12 months. This speaks to the frustration I hear, with many businesses feeling that they were sold a “bill of goods” that just wasn’t real. But my observations have been that many of these businesses fall down on the implementation, not because they were sold vaporware.

The primary reasons businesses adopt DLP are to protect company reputation (96 percent), avoid litigation (83 percent), meet regulatory obligations (77 percent) and protect IP (66 percent), and the vast majority of respondents are very confident that their solution actually helps them to meet these objectives. But there appears to be some confusion regarding the capabilities of DLP. I believe much of that confusion has been driven by the “me too” mentality that has been adopted by some vendors who claim they offer DLP solutions when, in fact, their solutions only address individual silos of a true DLP solution.

Cost and management are also a large issue. When you add implementation and monthly management costs, businesses are spending, on average, $240 per user over a two-year period for their DLP solution. One-third of respondents found that the solution cost was higher than expected and one-quarter pay more than they planned for internal management, as they have to refine the solution to eliminate false positives and increase effectiveness.

At the end of the day, does it work? Yes.

But the message here is that you need to plan accordingly going into the project so that it doesn’t become a budget buster in terms of both hard dollars and internal resources. If you’d like more information on this survey, send me an e-mail at bbragdon@cxo.com.

Best regards,

-Bob Bragdon, bbragdon@cxo.com
BLOG POST

How Should Auditors Deal With Oddities?

I previously commented on the changing role of the risk management professional and thought it would be worthwhile to spend a few moments discussing the auditor as well. In a contest of which job is likely to see more change in the next two years, I would expect a photo finish.

Over on the Institute of Internal Auditors (IIA) site, Norman Marks started an interesting discussion about continued fallout from the Heartland data breach. In a Q&A interview with CSOonline, an understandably defensive CEO Robert Carr states that the company’s Qualified Security Assessors (PCI auditors) were worthless and gave them false reports for the previous six years, suggesting that their security systems were just fine. I don’t think we need to dwell on the concept that compliance with security standards does not equal total security; however, this does bring up a more interesting debate about the role of the auditors.

As expectations for greater corporate accountability and disclosure continue to mount (some would say more slowly than expected), audit reports are going to be set under the most finely tuned of microscopes to be examined for accuracy and thoroughness. Two of the most important questions auditors will have to answer will be:

What is the scope of the audit? This must include what is evaluated and what is not, as well as what justification exists for including or excluding specific elements.

What are the auditors assessing specifically? This must spell out very clearly the purpose for the audit (e.g.: We are evaluating whether or not these systems are compliant with PCI. No other opinions should be inferred from this report).

If this information is not clear, both sides are left exposed. Would an auditor be demonstrating additional value and good faith by calling out other possible issues outside their official report? Yes. However, it would be unfair to expect them to volunteer information that is beyond their defined scope. There is more than enough pressure as it is to get that right. -Forrester Research


BLOG POST

Learning from the Attack on the Apache Software Foundation

The attacker’s compromise of the Apache Software Foundation’s (ASF) servers should be used as a training vehicle for all security and server teams. The reason it’s important is not that ASF was compromised. Rather, it’s because ASF was open about what happened and what they intend to do about it.

The attack process was described in detail in a recent article on The Register.

Attackers used a known vulnerability to hack the initial server, which didn’t even belong to ASF. It was owned by ApacheCon, a conference production company. Should the Red Hat patch have been applied? Maybe. However, it isn’t unusual for an organization to fully test a patch before deploying it. A 30-day window is not uncommon. So I don’t believe negligence is to blame.

The takeaway from this is more about the 24/7 vulnerability of all networks and the questions we must ask whenever we deploy technology. We simply have to assume someone will find a way to take control of one of our servers, using it as a platform from which to take control of some or all of the rest of our systems.

The real issue in this breach was the way in which SSH keys were managed, as written about in ASF’s postmortem.

■ The use of SSH keys facilitated this attack. In hindsight, our implementation left a lot to be desired — we did not restrict SSH keys appropriately, and we were unaware of their misuse.

■ The rsync setup, which uses people.apache.org to manage the deployment of our websites, enabled the attackers to get their files onto the U.S. mirror, undetected.

■ The ability to run CGI scripts in any virtual host, when most of our websites do not need this functionality, made us unnecessarily vulnerable to an attack of this nature.

■ The lack of logs from the ApacheCon host prevents us from conclusively determining the full course of action taken by the attacker. All but one log file was deleted by the attacker, and logs were not kept off the machine.

ASF is correcting these gaps. But the lesson for all of us is to keep an eye on how our teams configure each system or service, whether with Linux or some other environment. Managers asking the right questions, even when everyone claims the network is secure, is the first step. Regular vulnerability scans and penetration tests by disinterested parties are the next.
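The first of those postmortem points, SSH keys that were not restricted, is the kind of configuration a team can check mechanically. What follows is an added example, not the ASF’s or the author’s code: it parses OpenSSH authorized_keys entries (the option names are OpenSSH’s own) and flags any key that lacks a from= source restriction, a forced command, or the no-port-forwarding, no-agent-forwarding and no-pty limits that a deployment or mirror key should carry. The key file below is constructed and its key material is not real.

```python
"""Flag OpenSSH authorized_keys entries lacking the restrictions the ASF
postmortem found missing. Added example; the sample file is constructed
and the key material in it is not real."""

# Prefixes of the key algorithm names OpenSSH accepts in authorized_keys.
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real key file
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0000 alice@laptop
from="10.0.0.0/8,192.168.1.5",command="/usr/bin/rsync --server --sender . /srv/www",no-port-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI0000 deploy@people
restrict,from="203.0.113.7" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI1111 admin@bastion
"""


def _split_unquoted(text, is_sep, keep_quotes):
    """Split text at characters satisfying is_sep that sit outside double
    quotes (a command= or from= value may contain spaces and commas); a
    backslash escapes the next character inside quotes."""
    fields, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2] if keep_quotes else text[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
            if keep_quotes:
                cur.append(ch)
        elif is_sep(ch) and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        fields.append("".join(cur))
    return fields


def parse_entry(line):
    """Parse one authorized_keys line into a dict; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_unquoted(line, str.isspace, keep_quotes=True)
    options = {}
    if not fields[0].startswith(KEY_TYPE_PREFIXES):
        # The line starts with the options list rather than the key type.
        for opt in _split_unquoted(fields.pop(0), lambda c: c == ",", keep_quotes=False):
            name, sep, value = opt.partition("=")
            options[name.lower()] = value if sep else None  # None marks a flag
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return {"key_type": fields[0], "comment": " ".join(fields[2:]),
            "options": options, "findings": []}


def audit_entry(entry):
    """Record what this key may still do that a deployment or mirror key
    should not be able to."""
    o, found = entry["options"], entry["findings"]
    if "from" not in o:
        found.append("no from= restriction: usable from any source address")
    if "command" not in o:
        found.append("no command= restriction: any command can be run")
    if "restrict" not in o:  # restrict switches all of the following off at once
        if "no-port-forwarding" not in o:
            found.append("port forwarding allowed")
        if "no-agent-forwarding" not in o:
            found.append("agent forwarding allowed")
        if "no-pty" not in o:
            found.append("interactive session (pty) allowed")
    return entry


def audit_file(text):
    """Audit every entry in the given authorized_keys contents."""
    entries = (parse_entry(line) for line in text.splitlines())
    return [audit_entry(e) for e in entries if e is not None]


if __name__ == "__main__":
    for entry in audit_file(SAMPLE_AUTHORIZED_KEYS):
        status = "; ".join(entry["findings"]) or "ok"
        print(f"{entry['key_type']} {entry['comment'] or '(no comment)'}: {status}")
```

Run against a real host's files, the same script gives a per-key list of what each key is still permitted to do, which is the question the postmortem says nobody was asking.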

Would the attack have been successful if none of these conditions had been present? Maybe. But it would have taken another form and potentially presented a level of difficulty too high to bother.

Finally, I want to thank Apache for its openness and willingness to share what happened with the rest of us. -Tom Olzak
Edited by Bill Brenner

7 Reasons Websites Are No Longer Safe

Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from Boston-based IT security and control firm Sophos, sites we take for granted are not as secure as they appear.

Among the findings in the Sophos threat report for the first six months of this year, 23,500 new infected webpages, one every 3.6 seconds, were detected each day during that period. That’s four times worse than the same period last year, says Richard Wang, who manages the Boston lab. Many of these infections were found on legitimate websites.

In a recent interview with CSO, Wang outlined seven primary reasons legitimate sites are becoming more dangerous.

Polluted ads. Many legitimate sites rely on paid advertisements to pay the bills. But Wang says recent infection statistics gathered by his lab show that they are often hiding malware, without the knowledge of the website owner or the user.

“A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates,” Wang says. “Some of these affiliates are less than diligent in reviewing content for flaws and infections.”

Ads that incorporate Flash animation and other rich media are often rife with security holes that attackers can exploit. When the user clicks on the ad, the browser can be (and often is) redirected to sites that download malware in the background while the user is reading the legitimate site. Someone in the ad-providing supply chain can be the culprit, though tracing a compromise back to them can be exceedingly difficult, Wang says.

Whatever the case may be, a downloaded Trojan is then free to gather user names, passwords and other sensitive banking data.

SQL injection attacks. SQL injection attacks are among the most popular tactics and have been used in several high-profile incidents in the last couple of years.

SQL injection is a technique that exploits a flaw in the coding of a Web application or page that uses input forms. A hacker might, for example, input SQL code into a field that is intended to collect e-mail addresses. If the application doesn’t include a security requirement to validate that the input is of the correct form, the server may execute the SQL command, allowing the hacker to gain control of the server.

“The hacker essentially takes advantage of flaws related to shoddy site development,” Wang says.
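The flaw Wang describes, as an added example that is not from the article or from Sophos: a subscriber lookup that pastes the e-mail form field straight into its SQL, beside a hardened version that checks the field’s form and then passes it to the database as a bound parameter. The table, its rows and the inputs are constructed for the demonstration.

```python
"""Vulnerable versus hardened lookup of a subscriber by e-mail address.

Added example, not from the article: the "e-mail field" from the text is
simulated with an in-memory SQLite table and constructed sample rows.
"""
import re
import sqlite3

# Constructed rows standing in for a real subscriber table.
SAMPLE_ROWS = [
    ("alice@example.com", "gold"),
    ("bob@example.com", "free"),
    ("carol@example.com", "gold"),
]

# Shape check for the field: the text's "validate that the input is of the
# correct form". Deliberately simple; it is a first line of defence, not
# the main one (that is the bound parameter below).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)"
    )
    conn.executemany("INSERT INTO subscribers (email, plan) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """The flaw: the form field is pasted into the statement text, so
    whatever the field contains is parsed as SQL rather than as data."""
    sql = "SELECT email, plan FROM subscribers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def is_well_formed_email(value):
    """Input validation step: reject anything not shaped like one address."""
    return bool(EMAIL_RE.match(value))


def lookup_parameterized(conn, email):
    """Bound parameter: the driver sends the field as a value, so quote
    characters inside it can never change the statement's structure."""
    return conn.execute(
        "SELECT email, plan FROM subscribers WHERE email = ?", (email,)
    ).fetchall()


def lookup_hardened(conn, email):
    """Both layers together: validate the field's form, then bind it."""
    if not is_well_formed_email(email):
        raise ValueError("field is not an e-mail address")
    return lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = make_db()
    normal = "alice@example.com"
    # A field value carrying a quote and an always-true condition: the
    # textbook instance of the class of input the article warns about.
    tainted = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(db, normal))
    print("vulnerable, tainted input:", lookup_vulnerable(db, tainted))   # every row
    print("parameterized, tainted   :", lookup_parameterized(db, tainted))  # no rows
    try:
        lookup_hardened(db, tainted)
    except ValueError as err:
        print("hardened, tainted input  :", err)
```

The same tainted field returns the whole table from the concatenated query and nothing from the parameterized one, which is the difference between data and code that the text's "validate the input" requirement is about.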

User-provided content. It doesn’t take a genius to write a comment to a blog post or something they see on a social networking site like Facebook or Twitter. The bad guys know this and are therefore taking the opportunity to pollute discussion threads and other sources of user-supplied content with spam-laden links. “You can get comment spam, completely irrelevant comments including links to sites trying to sell you stuff,” Wang says. “They can also try posting full links to malicious sites or work in a little scripting, depending on the filter they are trying to work around.”

Stolen site credentials. Using the types of malware and social networking tactics described above, as well as other means, attackers can steal the content provider’s log-in credentials. From there it’s no sweat logging into the site and making changes. It typically is a change so subtle and small that it escapes notice. The tiny bits of code added in can then steal the site visitor’s credit card information or other data.

Compromised hosting service. This one is similar to number four, where the credentials of the content provider are stolen and hackers log in to make sinister changes. Through this vector, Wang says, the bad guys could potentially poison thousands of sites that the provider is hosting in one strike.

Local malware. The website may be perfectly safe, but if there’s malware hidden on your own machine, you can unknowingly become part of the attack, Wang says. For example, the user can visit their online banking site, and when typing in a user name and password, the Trojan records that information and passes it back to the attacker, allowing him to go in later and empty your account or that of others.

Hacker-engineered fakes. There’s also the problem of hackers trying to sell you fake merchandise such as phony security software. If a box appears warning that your machine may have been infected and that you must immediately download a particular security tool to remove it (a common occurrence if you have visited a site that surreptitiously downloads malware onto your computer), it’s a sure sign of trouble.

“You spend your $39.95 and you get a worthless piece of software, and at the same time you have given them your credit card data,” Wang says.

What is one to do if their website relies on ads and open access? Wang suggests that IT security administrators use security scanners for anything coming in by way of third-party hosts and, for in-house apps and other online property, that developers redouble efforts to write more ironclad code.

For those who heavily rely on third-party forums, a wise practice is to take a daily scan of vulnerability reports that may affect those providers and to keep up to date on security patches that will harden your own environment against these threats, he adds.

-Bill Brenner


DISASTER RECOVERY IN A TORNADO ZONE

Cancer Treatment Centers of America, in the heart of tornado country, showcases a sturdy BC/DR plan for dealing with disaster

Cancer Treatment Centers of America literally has lives on the line if something goes wrong with their business continuity plans. That’s why Chad Eckes, chief information officer of the Schaumburg, Illinois-headquartered organization, believes there is no room for complacency.

With hospitals in Arizona, Illinois, Oklahoma and Pennsylvania, the mission of Cancer Treatment Centers of America is to offer healing and hope to complex cancer patients. CTCA’s primary operations in Schaumburg are in tornado country, which means keeping an eye on the weather and having a business continuity plan that is resilient in the event of a damaging storm.

A few years ago, Eckes and CTCA decided data centralization was the best option so that the same information was available to all employees, regardless of the facility they are working in. From a BC/DR standpoint, Eckes says a centralized data center with a backup facility was better in order to avoid downtime in the event of an emergency.

“We have migrated to all digital. There is no paper backup. We have our bedside monitors directly connected into our electronic health records. Our phone is all VoIP. Paging is integrated into the phone system. If any of these core systems go down, it could be a patient’s life. You can’t call a code blue if your phone system is down. It’s that critical that everyone takes this that seriously.”

With tornado patterns in mind, CTCA built their two data centers in greater Chicagoland so that they sit 59 miles apart and in a pattern in which the likelihood of a tornado hitting both of them is nearly impossible, says Eckes. The locations were chosen based on information CTCA got from the Federal Emergency Management Agency about weather patterns. The decision was based on historical events and what the likelihood would be of a natural disaster hitting both facilities. Eckes said CTCA made sure the facilities, which have identical data, were sitting in a north-south arrangement and more than 30 miles apart to ensure one facility would always be operating.

“The first main design from a BCP standpoint was to have complete redundancy in our data. Anytime there is any production data written to the primary it is immediately mirrored over to our DR data center,” says Eckes. “Literally, we are up to date in our second center within 15 seconds. That is, with a complete copy of all clinical systems.”

Structurally, considerations were also made due to the possibility of tornadoes hitting the data centers. A tornado does most of its damage with extremely high winds; they can generate violent wind speeds in excess of 250 miles per hour. So CTCA built their recovery center in an old bank vault with the specific risk of a tornado in mind. The vault is in a brick building with a data center that is surrounded by a perimeter of 18 inches of poured concrete that is reinforced with rebar.

“The likelihood of a tornado being able to hit, even at F4 level, is near impossible,” says Eckes. “This is about as much protection as we are going to get without having an underground bunker.”

-Joan Goodchild


12 www.csoonline.com October 2009

Photo by David H. Lipp


Security Wisdom Watch

Vendor security performance edition

THUMBS BOTH WAYS: Microsoft. The software giant is having a hard time keeping up with its security holes lately, despite some of the heaviest Patch Tuesday lifting seen in a long time. Minutes after the September 2009 Security Update landed, security experts were sounding the alarm over what didn’t get patched. In the company’s defense, just about every IT vendor out there appears to be in a losing race against time.

THUMBS UP: Mozilla. The latest version of Firefox not only closes some of its own security flaws, but it now checks for outdated versions of Flash Player (a frequent attack target) as well as other flawed and outdated plug-ins from vendors like Apple, Adobe, Microsoft and Sun. What’s not to like?

THUMBS DOWN: The average website. A Sophos threat report for the first six months of this year revealed that 23,500 new, infected webpages, one every 3.6 seconds, were detected each day during that period. That’s four times worse than the same period last year.

THUMBS DOWN: Google. The mother of all cloud service providers has suffered a couple of large outages that left many small business users dead in the water. They weren’t attacks, but they showed the bad guys what they can do if they put their minds to it. -B.B.


Verbatim...

“The company environment may be tremendously complex, with hundreds of locations throughout the country or the world, and any one place can have weaknesses. If you have multiple lines of business and you don’t tell the QSA [qualified security assessor] about all of them, the QSA isn’t going to know to look in those areas, and something is going to be missed. That’s not the QSA’s fault.”

-Ed Moyle, founding partner at Security Curve and former vice president of information security at Merrill Lynch

“The audits done by our QSAs were of no value whatsoever. The extent to which they were telling us we were secure beforehand, that we were PCI compliant, was a major problem.”

-Heartland Payment Systems CEO Robert Carr on how QSAs failed to detect security holes that ultimately led to a massive data breach

“A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates. Some of these affiliates are less than diligent in reviewing content for flaws and infections.”

-Sophos Labs Manager Richard Wang

“I want everybody here to be careful about what you post on Facebook because in the YouTube age, whatever you do, it will be pulled up again later somewhere in your life. And when you’re young, you make mistakes and you do some stupid stuff.”

-President Barack Obama to a group of school kids on the privacy pitfalls of social networking
Heartland CEO on Data Breach: QSAs Let Us Down

Heartland Payment Systems CEO Robert Carr opens up about his company’s data security breach, how compliance auditors failed to flag key attack vectors and what the big lessons are for other companies

For Heartland Payment Systems CEO Robert Carr, the year did not start off well, to say the least.

In January, the Princeton, N.J.-based provider of credit and debit processing, payment and check-management services was forced to acknowledge it had been the target of a data breach, in hindsight possibly the largest to date, with 100 million credit and debit cards exposed to fraud.

In the following Q&A, Carr opens up about his company’s data security breach. He explains how, in his opinion, PCI compliance auditors failed the company, how informing customers of the breach before the media had a chance was the best response and how other companies can avoid the pain Heartland has experienced.

Take us back to the moment you were told a breach may have happened. What was your first thought?

It was a Monday night in January, just after dinner, when I was told data files were found on our servers that were not created by Heartland. That was a clear sign of trouble. It was a sleepless night. The question people always ask is what keeps me awake at night. Well, this is it.

What have you learned in recent months about how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?

The audits done by our QSAs (qualified security assessors) were of no value whatsoever. The extent to which they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.

How did the QSAs respond when you expressed this view?

In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for six years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn’t understand the limitations of PCI and the entire assessment process. PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.

How much money has Heartland had to spend to address the security holes and other things like lawsuits?

In the first half of 2009, we laid out $32 million and we don’t know what will happen going forward. We are aggressively defending against litigation. That’s all I can say. -B.B.

REBUTTING HEARTLAND’S CEO

One Man’s View: Heartland CEO Must Accept Responsibility

Security Incite’s Mike Rothman read our interview with Heartland’s CEO and didn’t like it one bit. Here’s why.

I just read Bill Brenner’s interview with Heartland Payment Systems’ CEO Bob Carr [see story above] and truthfully, my blood is boiling.

Basically, he’s throwing his QSA under the bus for the massive data breach that happened under his watch. Basically, because the QSA didn’t find anything, he should be off the hook.
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I  say  that’s  a  load  of  crap.  It’s  about  time 
organizations  suffering  from  a  data  breach 
owned  up  to  the  fact  that  they  made  a  mis¬ 
take.  You  see,  the  fine  folks  at  Johnson  and 
Johnson  didn’t  throw  the  pharmacy  under 
the  bus  when  Tylenol  got  poisoned  in  1982, 
did  they?  No!  They  accepted  responsibility 
(even  though  it  wasn't  their  fault)  and  re¬ 
established  trust  with  their  customers. 

This  kind  of  response  from  Mr.  Carr 
basically  proves  that  the  organization  has 
learned  nothing  from  the  data  breach,  which 
means  inevitably  it  will  happen  again. 

To  be  clear,  you  cannot  outsource  think¬ 
ing.  You  cannot  outsource  security.  An  audi¬ 
tor  or  assessor  is  only  there  to  substantiate 
the  technical  controls  implemented  to  meet 
a  regulation.  They  are  not  there  to  tell  an 
organization  whether  they  are  secure  or  not. 
They  are  not  there  to  provide  an  itemized  list 
of  every  possible  attack  vector  that  could 
compromise  data. 

That, my friends, is the responsibility of the internal security team. That’s what they do, and that’s what they get paid for. And in 
Heartland’s  case,  that’s  what  they  clearly 
failed  to  execute.  His  security  team  should 
have  known  about  the  malware  used  on  “300 
other companies.” Why is it the auditor’s responsibility to inform him of that? The 
auditors  are  there  to  determine  whether 
they  have  met  the  spirit  of  the  regulation. 

He  makes  the  statement  that  “PCI 
compliance  doesn’t  mean  secure."  Uh,  is 
that  news  to  him?  If  so,  then  he’s  more  out 
of  touch  than  I  had  feared.  Anyone  in  this 
business knows that any regulation is only the beginning of a comprehensive security program, and PCI is no exception. And moreover, 


even  if  you  are  compliant,  you  are  not  done. 
When  it  comes  to  security,  you  are  never 
done.  Not  as  long  as  there  are  bad  guys  (and 
gals)  trying  to  compromise  your  systems. 

But  you  have  to  hand  it  to  Mr.  Carr.  He  is 
proving  to  be  a  master  at  misdirection.  First 
it  was  the  fairly  ridiculous  push  for  end  to 
end  encryption.  As  if  that  would  have  solved 
the  problem  at  a  reasonable  cost.  Now  he’s 
trying  to  point  the  finger  at  the  auditors.  I’m 
sure  when  this  goes  over  like  a  lead  balloon, 
he’ll  be  looking  for  some  other  scapegoat. 
Next  time,  he’ll  be  more  than  happy  to  throw 
Vontu  and  Voltage  under  the  bus,  since  he 
mentions  them  specifically  as  the  “answer” 
to  ensure  this  doesn’t  happen  again. 

Sorry,  I  don’t  buy  it.  Widgets  do  not  equal 
security.  Blaming  others  does  not  make  you 
secure  either.  I  suggest  you  look  in  the  mirror 
Mr.  Carr.  That’s  where  you’ll  see  where  the 
blame  ultimately  lies.  Any  attempts  to  blame 
others  are  hollow  and  disingenuous. 

-Mike Rothman, SVP Strategy, eIQnetworks, and Chief Blogger, Security Incite 
BY THE NUMBERS

23,500: Number of infected websites detected per day by security vendor Sophos in the first six months of 2009

One every 3.6 seconds: How often the polluted sites appeared on Sophos’ radar

10: Number of security flaws Mozilla had to fix in its update of Firefox 3.5

5: Number of critical security updates Microsoft issued in September

19: Total number of security holes Microsoft patched in August

9: Total number of security holes Microsoft patched in July


DIGITAL  ID  WORLD  2009 

Social  Networking  a  Tool 
for  More  Secure  Identity 
Management?  No  Joke! 

A  Facebook  platform  engineer  says  social  networking  sites  can  be 
used  to  actually  improve  identity  and  access  management.  Why  wasn’t 
he  laughed  off  stage  by  the  skeptical  security  crowd  before  him? 


Among  battle-hardened  IT  security  practitioners,  social  networking  is  often  seen  as  either  a 
security  joke  or  a  bona  fide  security  threat. 

But when Facebook Platform Engineer Luke Shepard suggested social networking could be a force for stronger identity and access management (IAM) at CSO magazine’s Digital ID World conference last month, nobody was laughing. 

Maybe that’s because many security practitioners are addicted to Twitter, LinkedIn and Facebook, despite the risks they often warn about. Or, it’s because the speaker before Shepard, IDC Research Director Charles Kolodgy, suggested that social networking and IAM might just be compatible after all. 

Shepard pointed out that the basic Facebook setup allows for trust enhancement. For example, when the user receives a friend request from someone they may deem a stranger, the user is able to see who among their friends is also connected with the stranger. The more common connections, the less of a stranger that person becomes. LinkedIn works in a similar fashion, he acknowledged. 

“This is at the core of how identities are established on Facebook,” he said. “Adding to the level of trust is that 25 percent of users share their cell phone numbers. With sites like Facebook and LinkedIn, you have what we call real-world identity.” 

He noted that Facebook profiles are being used in ways beyond their original intent, much the same as how the value of a driver’s license has evolved well beyond its original purpose over time. 

“Drivers’  licenses  used  to  be  about  being 
able  to  drive  a  car,  but  it  has  since  become 
required  by  retailers,  government  agencies 
and  others  as  a  way  for  someone  to  confirm 
their  identity,”  Shepard  said. 

One key for making social networking a potent force in IAM is in the various social networking sites coming together to hammer out some form of standardization, he said. 

He noted that Facebook Connect, a tool that allows people to use their Facebook account to log in to a growing pile of outside websites and services, has been increasingly embraced by the likes of Netflix, USA Today, Digg, YouTube and Salesforce.com as a way to verify identities and allow those identities to share content with other trusted entities. 

Kolodgy suggested that the myriad IAM tools out there now could eventually be harnessed and fused with social networking in ways that would benefit everyone. 

“The key is that we need to create a larger trust environment, but there are ways to potentially get there,” he said, using federated identity management as an example. If sites like Facebook, Twitter and LinkedIn made use of a federated ID credential for additional trust, he said, “we could have something.” -B.B. 
By Mary Brandel 


Full  Disk  Encryption 

“Just  encrypt  it!”  seems  like  a  simple  way  to  protect  data,  especially  on 
laptops.  It  does  protect  data— but  it’s  not  necessarily  so  simple. 


Full  disk  encryption  (FDE)  sys¬ 
tems  use  strong  encryption 
algorithms  to  automatically 
protect  all  data  stored  on  the 
hard  drives  of  PCs  and  laptop 
computers.  Users  can  access  the  data  via 
an  authentication  device,  such  as  a  pass¬ 
word,  token  or  smart  card.  This  enables 
the  system  to  retrieve  the  key  that  decrypts 
the  disk.  On  many  systems,  functions 
such  as  key  management,  access  control, 
lock-outs,  reporting  and  recovery  are  all 
managed  centrally. 

According  to  John  Girard,  an  analyst 
at  Gartner,  the  main  differences  among 
available  products  derive  from  their  vary¬ 
ing  approaches  to  management,  encryp¬ 
tion  strength,  user  authentication,  policy 
management  and  value-added  features, 
such  as  protection  of  information  on 
removable  media. 

Prime  Considerations 

Full disk encryption versus file or folder encryption system (FES). With FDE, data is encrypted automatically when it’s stored on the hard disk. This is different from file or folder encryption systems, where it’s up to the user to decide which data needs encrypting. FDE’s biggest advantage is that there’s no room for error if users don’t abide by or don’t understand encryption policies. 

The shortcoming of FDE, Forrester Research analyst Natalie Lambert points out, is that it does not protect data in transit, such as information shared between devices, stored on a portable hard drive or USB, or sent through e-mail. FES, she says, is ideal for this, although it requires a lot of attention to developing a policy for what gets encrypted and what doesn’t, as well as training users on the policy. FES is also more compute-intensive than FDE, she says, leading to PC performance hits of 15 percent to 20 percent, versus just 3 percent or 4 percent. 


Hardware  versus  software  encryp¬ 
tion.  According  to  Girard,  hardware -based 
encryption  promises  significant  perfor¬ 
mance  improvements  over  software-based 
technologies,  and  the  new  Trusted  Com¬ 
puting  Group  (TCG)  open  standard  offers 
a  common  management  specification  for 
hard-drive  manufacturers. 

However, there is a lack of real-world products using the standard, he says. Hardware encryption will continue to evolve, he says, and future choices will appear in other device subsystems, such as CPUs or supporting chip sets. 

Illustration by Maria Rendon 

Today’s  self-encrypting  hard  drives— 
such  as  those  from  Seagate  Technologies— 
are  mainly  geared  toward  consumers, 
Lambert  says.  That’s  because  without 
TCG,  they  do  not  yet  perform  better  than 
software-based  encryption,  and  most  can¬ 
not  be  centrally  managed.  An  exception, 
she  says,  is  a  partnership  among  Dell,  Sea¬ 
gate  and  McAfee  to  provide  laptops  with 
encrypted  hard  drives  and  enterprise-level 
management  tools.  Wave  Systems  also 
sells  key  management  software  for  Seagate 
drives,  says  Eric  Maiwald,  an  analyst  at 
Burton  Group. 

DOs  and  DON’Ts 

DO  prep  the  machine.  According  to 
Girard,  the  biggest  mistake  people  make 
when  installing  encryption  is  failing  to 
ensure  the  machine  is  clean  and  running 
properly  beforehand.  “If  there’s  a  disk  prob¬ 
lem,”  he  says,  “parts  of  the  code  specific  to 
the  encryption  engine  will  not  be  readable.” 
He  suggests  defragmenting  the  hard  drive, 
running  Checkdisk  several  times,  backing 
up  the  data,  administering  all  patches  and 
optimizing  performance  before  encrypting. 
While  the  performance  hit  for  encryption 
is only 1 percent to 3 percent, he says, “why 
not  make  the  machine  faster  to  minimize 
that  or  at  least  break  even?” 

At  Los  Angeles  County,  which  uses 
Pointsec,  now  from  Checkpoint  Software 
Technologies,  CISO  Robert  Pittman’s  team 
conducted  a  health  check  on  the  hard 
drives  of  the  county’s  laptops  to  see  how 
much  free  space  existed,  how  badly  it  was 
fragmented  and  the  maintenance  level  of 
the  operating  system.  His  team  identified 
about  20  out  of  the  total  12,500  laptops  that 
would  need  to  be  replaced  prior  to  encrypt¬ 
ing  them. 

Frank  Ward,  a  consultant  for  the  State 
of  Connecticut,  also  ran  drive-evaluation 
software  on  the  state’s  laptops  during  the 
pilot  phase  of  implementing  encryption 
software  from  McAfee.  About  15  percent  of 
the  hard  drives  failed,  he  says.  By  checking 
all  the  disks,  the  failure  rate  for  installing 
McAfee  on  the  state’s  5,000  machines  was 
just  3  percent. 

DON'T jump in too quickly. It’s also essential to have a clear road map for deployment. Some organizations use a centralized software delivery system. For instance, Patterson used LANdesk from LANdesk Software to do a mass-deployment of Utimaco. However, he plans to activate the software one machine at a time, taking what he calls a “low and slow” approach. Not only does he need to remove previously installed encryption software, but he also wants a manageable way to deal with any issues that might arise. “I don’t want to show up on Monday and [see that] every machine is blue-screened,” he says. “Utimaco is good about recovering from errors, but there are situations where the drive is on the edge, and spinning it for three hours will push it over. If we go too fast we’ll be overwhelmed by support calls.” 


Characteristics of an Effective Encryption Solution 

According to IDC, a sister company to CSO’s publisher, an optimal FDE system should have the following characteristics: 

■ Centrally managed and controlled 
■ Rapidly deployed and maintained 
■ Policy driven 
■ Completely transparent to the user 
■ Easily supported by help desk or IT personnel 
■ Provide support for removable media 
■ Expandable, allowing new managed encryption applications to be added, as needed 
■ Extensible, enabling organizations to add managed encryption to existing enterprise applications 

Most encryption software allows you to push it out to users’ machines via a centralized software delivery system, Maiwald says. For instance, McAfee allows you to use its ePolicy Orchestrator for deployment, he 
says.  However,  this  is  not  always  possible, 
as  was  the  case  in  Connecticut.  In  the  state’s 
distributed  environment,  Ward  found  the 
centralized  deployment  mechanisms  were 
not  ubiquitous  enough.  He  still  needed  to 
work  fast,  due  to  the  State’s  strategy  for 
accelerated  deployment;  the  governor  asked 
in  January  for  all  6,000  laptops  in  the  state 
to  be  encrypted  by  the  end  of  February. 


To  do  that,  the  State  created 
five  teams  of  three  people  to  install 
McAfee  (over  a  six-week  period) 
on  the  laptops  of  55  agencies  and 
950  state  police  trooper  cars.  The 
teams  consisted  of  previously 
trained  administrators,  McA¬ 
fee  resources  and  an  IT  person. 
‘We’d  give  the  agency  a  week’s 
notice  to  get  their  machines 
logistically  together  and  then  try 
to  get  as  many  done  in  a  day  as 
we  could,”  Ward  says.  His  team 
would  set  up  in  a  conference 
room  or  other  central  location, 
connect  20  or  so  machines  to  a  file 
server  to  download  the  software 
and  then  pull  them  offline  to  fin¬ 
ish  encrypting,  which  could  take 
two hours for a 100GB drive. “It 
was  very  much  a  production  line,” 
Ward  says.  The  agency  continued 
working  on  any  that  didn’t  get 
completed,  and  they  could  bring 
any  particularly  troublesome  machines  to 
a  centralized  depot. 

DON'T  underestimate  deployment 
time.  As  Ward  found,  installation  takes 
time,  especially  for  large  drives.  A  good 
rule  of  thumb  is  that  it  takes  two  to  four 
hours  for  the  software  to  encrypt  the  drive, 
depending  on  its  size. 

Because of this, it’s important to choose a system that will be easy for administrators to learn and a vendor or reseller that provides customized training. When 
Pittman  chose  Checkpoint,  he  had  about 
100  people  trained— two  or  three  from  each 
of  L.A.’s  38  agencies— to  encrypt  12,500 
machines.  It  helped,  Pittman  says,  to  create 
a  standardized  configuration  to  be  imple¬ 
mented.  In  all,  it  took  about  nine  months, 
although  80  percent  of  the  agencies  were 
finished  in  six  months. 

DO  consider  background  installa¬ 
tion.  To  keep  deployment  as  low-impact 
as  possible,  consider  a  system  that  enables 
users  to  keep  working  during  installation, 
Girard  says.  Even  better,  make  sure  you 
don’t  need  to  restart  the  process  if  it  gets 
interrupted. 

DON'T  expect  full  user  acceptance. 

Users  can  be  wary  of  added  security,  seeing 
it  as  an  annoying  roadblock  that  hinders 
technology  performance,  Lambert  warns. 
One  way  to  head  off  potential  opposition  is 
to fully communicate the what, why, how 
and  when  of  deployment  prior  to  imple¬ 
mentation  and  stress  that  performance 
will  be  affected  minimally,  no  more  than 
5  percent,  she  says. 

DO  test  on  a  pilot  group.  Pilot  test¬ 
ing  is  important  for  several  reasons,  includ¬ 
ing  ironing  out  potential  problems  and 
gauging  user  resistance  and  the  scope  of 
the  full  deployment,  Lambert  says.  “User 
enrollment  should  be  easy,  but  with  some 
products,  users  get  confused,”  Girard  says. 
“When  that  happens  en  masse,  you’ve  got 
real  problems  because  if  you  fail  to  set  up 
enrollment  properly,  the  machine  has  to  be 
put  into  recovery  mode.  If  the  user  never 
enrolled  with  the  management  console,  it 
can  be  even  trickier.” 

DO check for interference with other applications. Another reason for a pilot test is there can be device-driver or BIOS interference between the encryption software and other applications, Girard warns. “You should run it against your standard image, as well as potential things you’ll install in the next year,” he says. 

Conflicts  can  arise  between  encryption 
and  some  desktop  management  systems 
that  already  have  entries  in  the  boot  sec¬ 
tor  of  the  disk,  Maiwald  adds.  “You  can’t 
have  two  things  in  the  boot  sector  unless 
they  were  made  to  work  together,”  he  says, 
which  some  vendors  are  doing,  such  as 
GuardianEdge  and  Symantec.  “We  find 
problems  in  just  about  every  enterprise,  so 
the  best  advice  is  to  test  it.” 

DO  consider  your  authentication 
options.  Vendors  offer  different  user 
authentication  mechanisms,  including 
PINs,  passwords,  smart  cards  and  tokens, 
but  the  most  popular  is  the  password 
option.  While  it  might  seem  more  secure 


to  challenge  users  with  two  separate  pass¬ 
words— one  at  preboot  and  one  to  enter 
the  network  domain— many  organizations 
choose  the  single  sign-on  option. 

DO  consider  an  integrated  suite. 
When  Patterson  began  looking  for  an 
encryption  system,  his  search  was  two-fold, 
as  Raymond  James’  antivirus  software  con¬ 
tract  was  also  ending  and  he  wanted  to  try 
a  different  endpoint  firewall  than  what  was 
offered  via  Windows.  This  led  him  to  look 
for  products  in  which  these  functions  could 
all  be  managed  through  a  single  console. 
“Otherwise,  we’d  need  a  fleet  of  people  to 
run  these  systems,  and  no  single  picture  of 
what’s  happening  on  the  network,”  he  says. 

With  Utimaco,  Sophos  has  created  a  road 
map  to  integrate  encryption  with  a  broader 
security  suite,  Patterson  says.  McAfee  also 
offers  integrated  management  of  encryption 
with  other  endpoint  security  functions. 

Such  integration  will  help  ease  deploy¬ 
ment  of  these  various  security  functions, 
Patterson  says.  “If  we  tell  users  we’re  going 
to  put  another  agent  on  their  machine, 
we  have  to  jump  through  lots  of  hoops  to 
ensure  performance  won’t  go  down,”  he 
says.  “Adding  more  functionality  into  one 
product  set  is  very  attractive  as  far  as  sell¬ 
ing  it  to  both  management  and  end  users.” 

Stanton  Gatewood,  CISO  at  the  Uni¬ 
versity  System  of  Georgia,  on  the  other 
hand,  wanted  a  system  that  specialized  in 
encryption,  which  is  why  he  selected  PGP. 
“We  looked  at  others,  but  when  it  comes  to 
the  nuts  and  bolts  of  encryption  and  asking 
hard,  technical  questions,  their  answers 
weren’t  readily  available.  It  seemed  as 
though  encryption  was  an  add-on— that 
they  were  a  firewall  or  antivirus  company 
that  now  does  encryption.” 

DO  prepare  a  strong  business  case. 
Although  encryption  might  seem  a  no- 
brainer,  many  businesses  still  take  a  “wait 
and  see”  approach,  Lambert  says.  Convinc¬ 
ing  decision  makers  to  get  ahead  of  a  breach 
by  implementing  FDE  may  require  making 
a  strong  business  case.  Consider,  Girard 
says,  that  the  cost  to  mitigate  a  single  com¬ 
promised  data  record  is  comparable  to 
or  greater  than  the  seat  cost  of  an  encryp¬ 
tion  tool.  Furthermore,  he  says,  the  cost  to 
mitigate  a  large  number  of  breached  data 
records  is  always  larger  than  the  total  cost 
to  implement  encryption  for  all  mobile  plat¬ 
forms  in  a  company. 


Market Drivers 

Interest in FDE is strong, with revenues exceeding $1 billion in 2008, up from $611 million in 2007. 
A  big  reason  for  this  is  the 
increased  use  of  mobile  sys¬ 
tems  and  the  fear  of  expos¬ 
ing  sensitive  data  should 
these  devices  be  lost  or 
stolen.  More  states  are  creat¬ 
ing  data  breach  notification 
laws  that  require  companies 
to  publicly  disclose  the  loss 
of  sensitive  data  unless  it’s 
encrypted,  making  it  all  the 
more  attractive  to  automati¬ 
cally  encrypt  all  data  stored 
on  a  mobile  device’s  hard 
drive. 

“If  you  do  lose  data  and 
you  get  taken  to  court,  the 
first  question  from  the  judge 
or  attorney  is  whether  the 
data  was  encrypted,"  says 
Pat  Patterson,  enterprise 
security  architect  at  Ray¬ 
mond  James  Financial.  The 
financial  services  firm  is 
currently  deploying  Sophos’ 


Utimaco  software  on  15,000 
laptops. 

Encryption  is  becom¬ 
ing  such  a  must-have  that 
traditional  client  security 
vendors  such  as  McAfee 
and  Sophos  have  added 
encryption  to  their  portfolios 
through  acquisitions,  says 
Natalie  Lambert,  an  analyst 
at  Forrester  Research.  Enter¬ 
prises  are  also  finding  that 
single-sourcing  client  security 
has  both  operational  and 
financial  benefits,  she  says. 

Selection  Criteria 

According  to  a  presentation 
by  Eric  V.  Leighninger,  chief 
security  architect  at  Allstate 
Insurance,  which  is  publicly 
available  on  the  Web,  the 
following  were  the  selection 
criteria  he  used  when  choos¬ 
ing  an  FDE  system: 

■  Compliance  with  FIPS 
140-2,  a  U.S.  govern¬ 
ment  computer  security 
standard 


■  Strong  key  management 

■  Storage  of  encrypted 
keys  separate  from 
encrypted  data 

■  Controlled  views  to  key¬ 
ing  material  (separation 
of  duties) 

■  Key  recovery  (onsite, 
offsite  and  disaster 
recovery) 

■  Centralized  management 

■  Interoperability  with 
enterprise  software 

■  Support  for  removable 
media 

■  Low-performance 
degradation 

■  Fast,  robust  and  reliable 
initial  encryption 

■  Support  for  SMS 

■  Background  encryption 
processing  capability 

■  Fault  tolerance  (power 
outages  or  user  shutdown 
does  not  affect  encryp¬ 
tion  process) 

■  Support  for  suspend  and 
hibernation  states 

■ Mouse support -M.B. 


Not  that  costs  are  low.  While  prices  are 
dropping,  Girard  says,  expect  to  pay  over 
$100  retail  per  seat  for  up  to  250  seats  for 
a  fully  managed  and  audited  encryption 
product  with  support  for  removable  media. 
That  drops  to  less  than  $100  per  seat  in  the 
1,000-seat  range  and  below  $70  for  5,000 
seats  or  more,  he  says. 

You can get it for less, Ward says. The state paid about $11.56 per seat instead of the $76 list price when the reseller offered a 30-day deal of 85 percent off. 

DO  consider  support  for  remov¬ 
able  media.  With  the  prevalence  of  USB 
media  drives,  more  attention  is  being  paid 
to  removable  media  encryption  and  device 
control,  Lambert  says.  Generally,  the  same 
vendors  that  offer  FDE  or  FES  also  offer 
encryption  for  removable  media,  she  says, 
and  in  some  cases,  such  as  Checkpoint, 
they  also  integrate  port  management,  con¬ 
tent  filtering,  centralized  auditing  and  man¬ 
agement  of  USB  port  storage  devices. 

Removable  media  encryption  was  one 
of  Patterson’s  evaluation  criteria.  Utimaco’s 
Data  Exchange  product  encrypts  one  file  at 
a  time  rather  than  the  entire  USB,  he  says, 
which  is  compatible  with  the  types  of  data 
users  store,  ranging  from  music  to  spread¬ 
sheets.  He  set  company  policy  to  encrypt 
anything  that  users  copy  over  from  their 
PCs,  with  password-based  authentication. 
This  does  require  thorough  training,  he 
says,  so  that  users  know  how  to  decrypt 


and  share  files  among  coworkers,  so  he’s 
phasing  it  in  slowly. 

Gatewood  says  PGP  enables  the  encryp¬ 
tion  administrators  to  plug  in  functionality 
to  encrypt  e-mail,  files  being  transferred 
and  removable  media,  down  the  road.  “We 
selected  a  system  that  will  grow,”  he  says. 

DO  look  into  the  vendor’s  method 
of  key  recovery.  Vendors  offer  vary¬ 
ing  approaches  to  key  recovery,  Maiwald 
says,  for  users  who  forget  their  password. 
These  range  from  self-service  portals  for 
password  reset,  to  help  desk  support  with 
a  challenge -response  mechanism  or  a  one¬ 
time  password  or  token  that  a  support  tech 
can  provide  over  the  phone.  “Look  for  an 
approach  that  nicely  meshes  with  your 
help  desk  procedures,”  he  says. 

DO  consider  Active  Directory  inte¬ 
gration.  Systems  that  integrate  with  Active 
Directory  simplify  management  exponen¬ 
tially,  users  say.  “When  a  machine  is  added 
to  the  Active  Directory  domain,  we  can  see 
it  in  the  console  and  move  encryption  keys 
around,”  Patterson  says.  “It’s  a  huge  help 
for  key  escrow.” 

Ward  says  AD  integration  enabled  him 
to  do  a  one-way  pull  to  populate  the  McA¬ 
fee  database,  saving  a  great  deal  of  time  and 
providing  assurance  that  the  database  was 
structured  correctly.  “It  was  important  that 
we  not  put  an  additional  burden  on  admin¬ 
istrators,”  he  says. 

DO look into reporting capability. Ease of reporting is 
another  key  selection  crite¬ 
ria,  Patterson  says,  to  prove 
laptops  are  encrypted, 
especially  when  one  goes 
missing.  Other  common 
reports  include  whether 
users  had  any  issues  with 
encryption,  whether  they 
called  the  help  desk  and 
whether  it  was  resolved, 
Gatewood  says. 

DO  check  on  which 
platforms  are  supported. 
There  are  far  fewer  Macin¬ 
tosh-based  encryption 
platforms  than  Windows, 
Lambert  says.  Gatewood’s 
choice  of  PGP  was  partly 
due  to  its  cross-platform 
support  of  many  versions 
of  Windows,  as  well  as  Mac 

DON’T  overlook  key  manage¬ 
ment.  Without  strong  key  management, 
Gatewood  says,  you’re  better  off  not  hav¬ 
ing  encryption  at  all.  This  is  what  enables 
you  to  restore,  revoke  and  manage  keys 
in  any  way.  Lack  of  a  strong  key  manage¬ 
ment  system  is  one  reason  he  bypassed  any 
of  the  open-source  systems  he  considered. 
PGP’s  Universal  Server,  on  the  other  hand, 
allows  him  to  not  only  manage  its  own  keys, 
but  also  keys  from  other  systems,  as  well. 
“Some  management  consoles  can  be  a  little 
kludgey,”  he  says.  You  should  also  be  able 
to  back  up  the  key  escrow  database. 
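The key hierarchy that the opening description of FDE (authenticate, retrieve the key, decrypt the disk), Maiwald’s key-recovery advice and Gatewood’s point about key management all rest on can be written down. The following Go program is an added example for this article, not code from PGP, McAfee or any other vendor named here; the type and function names (Volume, Slot, NewVolume, Unlock, ResetPassword), the escrow-key mechanism and the sample password are this example’s own assumptions. One random data-encryption key (DEK) protects the data and is never stored in the clear: the volume header keeps it only wrapped under a key derived from the user’s pre-boot password and under an escrow key held by the management console, so a help-desk password reset rewraps the DEK without touching a single encrypted sector, and the wrapped keys live apart from the data as Leighninger’s selection criteria require.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// One random data-encryption key (DEK) protects the disk. It is stored only wrapped
// (AES-256-GCM) under key-encryption keys: one derived from the user's pre-boot
// password, one that is the console's escrow key. Names are this example's own.

const kdfIters = 20000

type (
	Slot   struct{ Salt, Wrapped []byte } // Wrapped is nonce || ciphertext; Salt is empty for escrow
	Volume struct{ User, Escrow Slot }    // the header holds only wrapped copies of the DEK
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// kdf is one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018), spelled out with the standard library.
func kdf(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce || ciphertext so a wrapped key or a sector is a single blob.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// unseal fails with the cipher's own error on a wrong key or a tampered blob.
func unseal(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

func passwordSlot(password string, dek []byte) Slot {
	salt := randBytes(16)
	return Slot{Salt: salt, Wrapped: seal(kdf([]byte(password), salt, kdfIters), dek)}
}

// NewVolume generates the DEK and never stores it in the clear.
func NewVolume(password string, escrowKey []byte) *Volume {
	dek := randBytes(32)
	return &Volume{User: passwordSlot(password, dek), Escrow: Slot{Wrapped: seal(escrowKey, dek)}}
}

// Unlock is pre-boot authentication: password -> KEK -> DEK.
func (v *Volume) Unlock(password string) ([]byte, error) {
	return unseal(kdf([]byte(password), v.User.Salt, kdfIters), v.User.Wrapped)
}

// ResetPassword is help-desk recovery: the escrow key unwraps the same DEK, which is
// rewrapped under the new password. No encrypted data is touched.
func (v *Volume) ResetPassword(escrowKey []byte, newPassword string) error {
	dek, err := unseal(escrowKey, v.Escrow.Wrapped)
	if err != nil {
		return err
	}
	v.User = passwordSlot(newPassword, dek)
	return nil
}

func main() {
	escrow := randBytes(32) // generated and held by the management console in practice
	v := NewVolume("correct horse battery", escrow)
	dek := must(v.Unlock("correct horse battery"))
	sector := seal(dek, []byte("Q3 payroll")) // user data is sealed only with the DEK
	must(0, v.ResetPassword(escrow, "new password")) // panics if the escrow key is wrong
	pt, err := unseal(must(v.Unlock("new password")), sector)
	fmt.Printf("readable after password reset: %q (err=%v)\n", pt, err)
}
```

A wrong password or a wrong escrow key fails on the GCM authentication tag rather than producing garbage, which is what makes the lock-out and recovery flows safe to automate. Custody of the escrow key is the separation-of-duties control in Leighninger’s list: whoever holds it can restore any user’s access. And if both the password and the escrow database are gone, nothing on the disk can be recovered, which is the practical reason for Gatewood’s advice to back up the key escrow database.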

DO  consider  lock-out.  This  feature 
locks  the  machine  if  someone  hasn’t  logged 
on  to  the  network  for  a  certain  period  of  time, 
typically  several  weeks.  At  Connecticut, 
Ward  says  network-connected  machines 
ordinarily  check  in  five  or  six  times  a  day 
to  send  logs  to  the  encryption  server.  If  that 
doesn’t  happen  within  the  configured  lock¬ 
out  period,  the  machine  won’t  allow  the  user 
to  authenticate,  and  an  administrator  will 
need  to  unlock  the  machine.  “It  enforces 
discipline  so  that  you’re  getting  client  logs 
on  a  continual  basis,  and  the  machines  are 
constantly  updated  with  new  software  and 
any  changes  in  policy,”  Ward  says.  ■ 
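Ward’s lock-out rule is simple enough to write down as a decision procedure. The following Go program is an added example, not Connecticut’s or McAfee’s code; the check-in log format, the machine names and the 21-day period are constructed for it. It reads a server-side check-in log, works out each machine’s last contact, and decides whether pre-boot authentication should proceed at a given moment, treating a machine that never enrolled as locked as well, since Girard notes that recovery is trickiest for machines that never enrolled with the console.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed server-side check-in log: "RFC3339 timestamp, machine name", one
// line per contact. Format, names and the period below are assumptions for this
// example, not any console's schema.
const checkinLog = `2009-08-03T09:12:00Z LAPTOP-0412
2009-08-03T13:40:00Z LAPTOP-0412
2009-08-28T08:05:00Z LAPTOP-0977
2009-09-01T17:55:00Z LAPTOP-0412
2009-09-14T07:30:00Z LAPTOP-0977`

// LockoutPeriod is the policy value: how long a client may go without a
// successful check-in before pre-boot authentication is refused.
const LockoutPeriod = 21 * 24 * time.Hour

// lastCheckin returns the most recent check-in per machine.
func lastCheckin(log string) (map[string]time.Time, error) {
	last := map[string]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // tolerate blank or malformed lines
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", fields[0], err)
		}
		if ts.After(last[fields[1]]) {
			last[fields[1]] = ts
		}
	}
	return last, sc.Err()
}

// PrebootAllowed is the decision taken at boot time "now". A machine that never
// enrolled is refused too: it has no policy and nothing escrowed to recover with.
func PrebootAllowed(last map[string]time.Time, machine string, now time.Time) (bool, string) {
	seen, ok := last[machine]
	if !ok {
		return false, "never checked in; administrator unlock required"
	}
	if now.Sub(seen) > LockoutPeriod {
		return false, "last check-in " + seen.Format("2006-01-02") + " is outside the lock-out period"
	}
	return true, "ok"
}

func main() {
	last, err := lastCheckin(checkinLog)
	if err != nil {
		panic(err)
	}
	now := time.Date(2009, 9, 23, 8, 0, 0, 0, time.UTC)
	for _, m := range []string{"LAPTOP-0412", "LAPTOP-0977", "LAPTOP-1300"} {
		allowed, why := PrebootAllowed(last, m, now)
		fmt.Printf("%-12s allowed=%-5v %s\n", m, allowed, why)
	}
}
```

On a real client the same decision is made locally from the machine’s own record of its last successful contact, so it works while the laptop is off the network; the point is that a machine that has quietly stopped sending logs and receiving policy also stops being usable until an administrator looks at it.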


Mary  Brandel  is  a  freelance  writer  based  out¬ 
side  Boston.  Send  feedback  to  Editor  Derek 
Slater  at  dslater@cxo.com. 


FDE: Major Players 

VENDOR | SOLUTION | FDE / FES | FEATURES 

Checkpoint Software Technologies | Full Disk and Media Encryption | FDE 
Formerly part of the Pointsec portfolio. Noted for ease of use. One of the few major vendors offering FDE support for the Mac OS. 

Credant Technologies | Mobile Guardian | FES 
Provides centrally managed, policy-based security for a broad range of mobile devices. Is able to enforce data security as it moves between endpoints. 

GuardianEdge Technologies | Data Protection Platform | FDE/FES 
A Symantec partner. Offers FDE for PCs and FES for removable storage and mobile devices. Includes device control capabilities to minimize risk of unauthorized devices. 

McAfee | Endpoint Encryption | FDE/FES 
Formerly SafeBoot. Adds to McAfee’s efforts at building a full line of system solutions targeted at large enterprise users. Supports both encryption types for a variety of endpoint devices. 

PGP | Whole Disk Encryption | FDE 
Allows users to immediately deploy specific disk encryption solutions when needed and add other capabilities such as e-mail protection later. 

Sophos | Utimaco SafeGuard | FDE/FES 
Recently acquired by Sophos. Offers central management for all encryption solutions delivered down to PCs and mobile devices. Plans to integrate the management components of the Sophos and Utimaco product portfolios to meet customer demands for “single pane of glass” management. 

FDE: Full disk encryption. FES: File/folder encryption system. Source: Forrester Research 
Building Security: 

7  Basic  Blunders 

From  bad  building  designs  to  management  that 
ignores  badge  rules,  Tim  Giles  runs  through  the  top 
building  security  mistakes  By  Joan  Goodchild 


YOU’VE  GOT  A  few  security  guards  and  your  CCTV  system  is  up 
to  snuff.  You’ve  got  your  building  security  covered,  right?  Think 
again.  While  many  organizations  are  taking  the  steps  to  ensure 
their  building  is  secure,  many  are  ignoring  basic  pieces  of  the  physi¬ 
cal  security  puzzle  in  and  around  a  facility. 

Tim  Giles,  a  security  consultant  and  author  of  How  to  Develop 
and  Implement  a  Security  Master  Plan,  was  once  in  charge  of  all  IBM 
security  operations  for  the  U.S.  and  Canada,  and  today  advises  cli¬ 
ents  on  how  to  design  a  security  plan  that  fits  the  risk  levels  and 
needs  of  their  buildings.  He  gave  CSO  a  rundown  of  some  common 
missteps  that  organizations  make  when  devising  a  plan  to  secure 
their  facilities. 

1 Creating post orders without advance analysis 

“Most  companies  don’t  have  an  inside  person  with  facilities  security 
expertise,”  says  Giles.  “Often,  the  facilities  manager  will  put  together 
a  guard  services  contract  and  contract  services  with  a  company,  and 
they  really  have  very  limited  ideas  about  how  to  manage  it.” 

Giles  thinks  the  problem  is  that  an  outside  contract  company 
will  often  come  into  the  assignment  with  their  own  post  orders  and 
place  security  personnel  without  first  conducting  a  real  analysis 
of  the  security  needs  of  the  building.  And  because  there  isn’t  an 
experienced  person  within  the  company  that  understands  security, 
there  is  no  system  of  checks  to  ensure  the  contract  security  person¬ 
nel  are  doing  what  they  should  be  doing,  says  Giles.  Before  any  con¬ 
tract  security  services  firm  creates  post  orders  for  a  building,  they 
should  first  conduct  a  thorough  assessment  of  the  unique  needs  for 
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security  in  the  facility. 

“Buildings  differ  primarily  because  of  who  the  tenants  are,” 
says  Giles.  “Security  needs  to  evaluate  who  is  in  there  and  what 
kind  of  risks  they  bring  with  them.  Some  have  a  high-traffic  vol¬ 
ume  of  visitors.  They  could  be  controversial;  some  might  face  the 
possibility  of  problems  with  former  or  disgruntled  employees. 
All  of  those  things  dictate  what  security  should  be  doing  at  their 
posts.” 


2 Placing aesthetics over security

Giles says this mistake can be made as early as when the building is designed by an architect. While ground-level lighting and hidden cameras may be more pleasing to the eye, neither is good for security. Giles says he once worked in a building where the architect had designed all the cameras to be out of sight.

“But someone seeing the camera is 50 percent of the value because it’s a deterrent,” notes Giles. “When people know they are on camera, they are much less likely to do something wrong.”

Another common design Giles sees that makes him cringe is shrubbery that runs along walkways and sidewalks.

“Suddenly someone who wants to rob someone has a nice hiding place,” he says.


3 Neglecting to properly secure certain entrances

Giles believes in the rule that the fewer entrances into a building, the better.

“Every door is another opportunity for someone to get in,” he says.

While it is important to have several doors for emergency exits, Giles says they all too often get neglected. He suggests installing alarms at all doors that have been designated as emergency exits. Employees should also be asked to demand identification or badges from individuals entering a secure building, he says, and notes the best defense against intruders is a good security awareness program among workers that gets them to notice what is going on around them.
4 Allowing management to ignore security rules

Sure, a good awareness program might ask employees to “check” on one another to ensure they are wearing badges or ID. But what if management is neglecting to follow the rules? Giles says it is a physical security mistake he sees all the time.

“I tell them, You have to make a choice. If you are going to have a badge-wearing program, you have to wear the badge. If you’re not going to wear one, do away with the program, because if you don’t wear it, you undermine the program.”




5 Failing to take time to understand your technology

Physical security technology, such as CCTV, has come a long way in the last decade, notes Giles. The problem is that many people don’t know how to use it. Often, Giles says, a good video recording system is for naught because when there is an incident, the staff doesn’t know how to find the recording they need.

“Companies will have a contractor come in and install the cameras, and then there is no follow-up to learn how to really use it.”

Giles says another common scenario is a building with 40 or more cameras around the facility that use a multiplexer to toggle between cameras and record images. But the switching is done at random and is therefore of little use.

“If you don’t set that up properly, you might have a situation where a person is breaking in a door but you don’t capture the event because the recorder was not on the door at that time.”

Giles recommends that monitoring systems be configured for event-driven recording, which means a camera is activated wherever an alarm goes off or, for sensitive areas, when motion is detected.

HIGH PROFILE

Denise Barndt, director of global security for the Bill and Melinda Gates Foundation, discusses the challenges of security for a high-profile, global philanthropic organization

“What I’ve been trying to drive is consistency of security so that our staff and visitors have the same look and feel of ubiquitous and unobtrusive security no matter where they are in our offices throughout the world. There is also an understanding that each office has local conditions that we need to be respectful of as well.

“We have design and technical standards for all of our offices. Each has a security design that is similar to ours here at headquarters in Seattle. It’s the same envelope at every building. That includes access control, CCTV, a reception function, a guest management function.”

On global monitoring and incident response: “With the growth in the number of locations to monitor in our Global Security Operations Center, we looked to various technologies to help us manage the volume of information coming in to our operators. We are in the process of implementing a new video and situation management system from VidSys. This will allow us to leverage video analytics, correlate what may seem to be disparate events into a single response plan and aid in forensic and audit capacity.”

The application will: “provide a single user interface for managing situations, monitoring access control, intrusion detection, video and communication systems; improve operational efficiency and accuracy; increase our ability to direct and control how and where we display video; and fully integrate this project with the design, requirements definition, systems selection, device selection, construction and operational planning for the new campus.

“This is a paradigm shift for our operators as we move from a barrage of information to a filtered and focused view. The build of the rules and action plans to support the system is a large body of work, as well as the business readiness preparation for changing the operational model. The exercise has provided us with the opportunity to do a systemic evaluation of our existing systems, conventions, standard operating procedures and post orders.”

On the new headquarters: “We are under construction for a new headquarters, a global showcase and meeting area for the voice Bill and Melinda want to have for the issues they care deeply about: global health, global development and U.S. education. So we are building a 250,000-square-foot office, meeting area, outreach center, education facility and visitor center.

“While traditionally we have looked like every other building, we are now going from a very low-profile physical footprint to a bold statement. We are in leased space now. So we are going to go from tenant to owner, and to a very large complex that will be making a very big statement about the work that we do. It’s a very green building and it’s in the center of the city, so our neighbor is the Space Needle.

“One might think because it’s the Gates Foundation and because of the philanthropy and the work we do, everyone would love us. But like every company and every government, there are certainly detractors. For us, it’s a balance of the boldness of the work we are trying to do and knowing that some of our work can be controversial. A lot of people ask, ‘Why would you have security concerns? You are giving money away and trying to solve some of the world’s toughest problems.’ But when you consider they are some of the world’s toughest problems, that is why we have security concerns.”

On protestors and demonstrators: “This is the joy of living in America. This is a country where you can do that. So how do we allow our work to continue and allow that public commentary as it’s appropriate and legal to happen as well?

“We’ve designed the building working with architects and working with the community and the city. It is much like a federal courthouse where we were looking at how they allow that kind of public gathering and also make sure it can be done in an appropriate manner.” -J.G.

Ongoing construction of the new headquarters for the Bill and Melinda Gates Foundation in Seattle.

6 Failing to secure important rooms inside the building

“We used to have people working the server room all the time [in organizations],” says Giles. “But now they can control what is going on in there remotely. So if someone is going in and out of there, you really want to know who it is and why they are there.”

Giles recommends adding access control systems around data centers that include badges or access cards as well as cameras. He also advises clients who have concerns about proprietary information to secure their mail rooms as well.


7 Overdoing security

Lastly, it’s important to remember that these tips are not a one-size-fits-all prescription for your building’s security, says Giles. The level of facility security will need to fit the level of risk an organization faces.

“I’m opposed to going into a facility and having them do as much security as they can do,” he says. “If you overdo it to where it doesn’t make sense, within six months people will have figured out ways to get around security and it will be a waste of money. It has to match the risk and culture of the business.”

It’s impossible to come up with a formula that says an organization needs specific elements in their building security plan because there are too many variables, Giles notes. Consider your environment and invest appropriately, he says. ■

Reach Senior Editor Joan Goodchild at jgoodchild@cxo.com
Why twenty-somethings skateboard right past security controls

By Jim Routh and Gary McGraw

THE INSIDER THREAT, the bane of computer security and a topic of worried conversation among CSOs, is undergoing significant change. Over the years, the majority of insider threats have carried out attacks in order to line their pockets, punish their colleagues, spy for the enemy or wreak havoc from within. Today’s insider threats may have something much less insidious in mind—multitasking and social networking to get their jobs done.

There’s a growing risk within most organizations today that is clearly an insider threat but is also clearly not caused by a disgruntled or disillusioned employee. In fact, the new insider threat is more likely to manifest itself as a gung-ho new employee or contractor. And more often than not, the new insider threat is a recently hired twenty-something.

We’ve coined the term “lifestyle hacker” to refer to this new cadre of insider threats. The lifestyle hacker does not have malicious intent. Nevertheless, the lifestyle hacker is highly successful at skirting various corporate controls put in place to protect security-related websites and critical endpoints. The most interesting and ironic aspect of the lifestyle hacker is that he is motivated by the pursuit of productivity, often the very same motivation driving the implementation of various corporate controls (including but not limited to Web proxies, DLP solutions, firewalls, etc.).

Tightly managed organizations (especially huge financial corporations) often block access to Web 2.0 capabilities in order to “promote productivity of staff.” However, this very same staff often desires to utilize Web 2.0 capabilities (including social networking, external IM, Skype, Twitter, etc.) in the name of enhancing personal productivity. And never the twain shall meet!

This conundrum exists as the inherent conflict between those who make the rules and those who break the rules, both of whom are driven by the exact same motivation—being more productive in the work environment. There are two fascinating and problematic aspects of this situation worth mentioning:

1. The population of lifestyle hackers is growing in size and diversity as demographics of new hires shift toward those people who grew up on the Internet.




2. Neither the corporate decision makers who make the rules nor the lifestyle hackers understand the security ramifications of emerging and evolving Web 2.0 capabilities (see McGraw’s article “Twitter Security” at www.informit.com/articles/article.aspx?p=1350268).

To get a handle on the growth of the lifestyle hacking problem, consider this: One Wall Street firm we’re both very familiar with estimated that 45 percent of all security incidents in the past two years were lifestyle hacks. A quick look at demographics reveals what’s going on. The root of the problem is that newly minted staff members being hired today were generally born in the late ’80s; their managers and rule-imposers are of the Baby Boom generation (born between 1947 and 1961). Baby Boomers were brought up with television as the dominant household technology, while the Net Generation (as Don Tapscott calls them in Growing Up Digital) was exposed to the Internet as early as they can remember (and some even earlier than that). Television is a mostly passive broadcast medium. By contrast, the Internet promotes widespread collaboration. This difference engenders significant divergence in behavior for the two generations. Baby Boomers focus on a single task when under pressure, while the Net Generation prefers multitasking.

Baby Boomers don’t even like listening to music while they work. Net Gen’ers listen to music (sometimes even watching music videos) while browsing a website or six, instant-messaging with whoever is around, sending text messages and pecking at a Microsoft Office file. The University of Oregon Library published a study that showed that the average Net Gen’er, by the age of 21, has been exposed to:

■ 10,000 hours of video games

■ 200,000 e-mails

■ 20,000 hours of TV

■ 10,000 hours of cell phone conversation

■ Less than 5,000 hours reading books

Some demographers bifurcate the Net Generation into Generation X and Y, but for the purposes of understanding the lifestyle hacker, Net Gen says it all. As Internet-facing technology became ubiquitous and leaped from the home to the mobile device, the Net Generation adapted by incorporating new technology into its very social fabric. The Net Generation prefers SMS texting and using instant messaging in many social situations. (Organizing a particular time and place to meet is rather silly if the people doing the meeting all have cell phones and a vague plan.)

Utilizing a texting system as an essential productivity tool in a professional environment is a natural extension of normal Net Gen social behavior. The same can be said for social networks such as Facebook, which offer excellent tools for collaborating on complex problem solving and building effective relationships.

Unfortunately, many Baby Boomers have never used Web 2.0 tools at work. Such tools simply did not exist when they entered the work force. As a result, they often view such tools as distractions from doing “real” work.

One high-tech firm did a study on the primary reason for undergraduate offer rejections by prospective new hires and discovered that the number-one reason for rejection was that access to Facebook was blocked. The firm now offers access to Facebook. Along the same lines, but without a solution to the problem, FS-ISAC survey results from April 2009 indicated that over 90 percent of financial service firms block access to social networking sites. The number-one reason for blocking access is a concern over productivity, not security. Ninety-five percent of the firms responding to the survey have no plans to change policies to allow access to social networking sites. You can see the storm clouds gathering.

To restate the conundrum, leaders believe that social networking, instant messaging and using SMS constantly in the work environment will lead to lower overall productivity, so they block access. Net Gen’ers believe that Web 2.0 technologies are essential for collaboration and relationship management and that they improve productivity. Impasse.

Enter the lifestyle hacker. To sidestep the impasse, a growing number of Net Gen’ers are using their technical savvy to find creative ways of bypassing controls so they can leverage Web 2.0 capabilities. Perhaps an example can make this clear.

Dylan (not his real name) was an intern working in the technology department doing server administration for two years while he completed graduate school. He then applied for and was hired as an analyst working in the operational risk department. Dylan established himself as an effective contributor to the department over a period of six months.

One day, the corporate security staff noticed a spike in network traffic coming from Dylan’s workstation. The large volume of data transfer indicated the possibility of a security breach in which company information was being shoveled off to an outside party. The security staff initiated an investigation. They eventually approached Dylan and completed a forensic analysis of his computer. What they uncovered was that Dylan had constructed a secure tunnel by exploiting a vulnerability in the company’s Web proxy, and he was connecting his workstation to his ISP at home. This allowed Dylan to watch pirated movies running on his home PC while he was streaming music from sites no longer filtered by the proxy.

As it turns out, Dylan was also modifying a sensitive risk report at the same time. When Dylan’s boss was told what was going on, Dylan was asked to leave the firm. His boss was disappointed, since Dylan was one of her most productive employees.

Note that Dylan was not malicious and in fact did not intend to break established policies and federal laws. His actions were motivated purely by his desire to multitask, unfettered by the standard controls that all other employees had to live with.

The question is, how many “Dylans” work in your organization? And what are you to do if you’re the CSO trying to safeguard your firm while also enabling business growth? As usual for computer security, there are no easy answers here, just as there are no simple Web 2.0 technology controls ready for prime-time implementation.

Upon reflection, we believe the most important thing to do is to educate staff about the security and brand risks associated with unfettered use of Web 2.0 capabilities while exploring ways to offer tools with collaborative capabilities with a level of control that the organization can manage effectively.

This solution is likely to necessitate updating your security policies as well as communications and marketing policies governing publication of the firm’s information. In addition, the firm’s IT strategy should clearly define a road map for Web 2.0 implementation over time that provides for increased collaboration outside the firm.
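The Dylan case began with security staff noticing a spike in transfer volume from one workstation. As an added example, not code from the article or its authors, the Python below shows one way to surface that signal from Web-proxy logs: total volume per client compared against a robust peer threshold (median plus a multiple of the median absolute deviation), reporting the destination that received most of the flagged client’s traffic. The log format, addresses and host names are constructed assumptions.

```python
"""Flag proxy clients whose transfer volume is far above their peers'.

Added example, not from the CSO article: a robust (median/MAD) outlier
check over constructed Web-proxy log lines. Log format, IP addresses and
host names are assumptions made for this illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed log lines: timestamp client method host bytes_out bytes_in
SAMPLE_LOG = """\
2009-09-14T09:01:12 10.20.30.11 GET intranet.example.com 1200 48000
2009-09-14T09:02:40 10.20.30.12 GET www.example-news.com 900 72000
2009-09-14T09:03:05 10.20.30.13 POST crm.example.com 4100 15000
2009-09-14T09:04:51 10.20.30.14 GET intranet.example.com 1100 51000
2009-09-14T09:05:09 10.20.30.15 GET www.example-news.com 800 69000
2009-09-14T09:06:33 10.20.30.44 CONNECT home-isp.example.net:443 512000 3800000
2009-09-14T09:07:02 10.20.30.16 POST crm.example.com 3900 14000
2009-09-14T09:08:44 10.20.30.44 CONNECT home-isp.example.net:443 498000 4100000
2009-09-14T09:09:10 10.20.30.17 GET intranet.example.com 1300 47000
"""


def parse_line(line):
    """Split one whitespace-separated proxy record into a dict."""
    ts, client, method, host, bytes_out, bytes_in = line.split()
    return {"ts": ts, "client": client, "method": method, "host": host,
            "bytes_out": int(bytes_out), "bytes_in": int(bytes_in)}


def aggregate(log_text):
    """Return (total bytes per client, bytes per client per destination)."""
    totals = defaultdict(int)
    per_host = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        volume = rec["bytes_out"] + rec["bytes_in"]
        totals[rec["client"]] += volume
        per_host[rec["client"]][rec["host"]] += volume
    return totals, per_host


def robust_threshold(values, k=5.0):
    """median + k * MAD; one huge outlier barely moves this threshold.

    A MAD of zero (all peers identical) is floored so that tiny jitter
    does not get every client flagged.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * max(mad, 1.0)


def detect_volume_outliers(log_text, k=5.0):
    """Return clients whose total volume exceeds the peer-derived threshold.

    Each hit carries the destination that received most of the volume,
    which is what a responder wants to see first (here, the tunnel
    endpoint). A hit is a lead for investigation, not proof of a breach.
    """
    totals, per_host = aggregate(log_text)
    if not totals:
        return []
    threshold = robust_threshold(list(totals.values()), k)
    hits = []
    for client, total in totals.items():
        if total > threshold:
            top_host = max(per_host[client].items(), key=lambda kv: kv[1])[0]
            hits.append({"client": client, "total_bytes": total,
                         "threshold": threshold, "top_host": top_host})
    return sorted(hits, key=lambda h: h["total_bytes"], reverse=True)


if __name__ == "__main__":
    for hit in detect_volume_outliers(SAMPLE_LOG):
        print(f"{hit['client']}: {hit['total_bytes']} bytes "
              f"(threshold {hit['threshold']:.0f}), mostly to {hit['top_host']}")
```

On the constructed sample only the workstation tunnelling to the home ISP crosses the threshold; in practice the same check is run per time window so that a client is compared with its own history as well as with its peers.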

The right approach for each organization must, of course, be driven by its respective business model, since business and security risks always differ. The good news is that the problem of the lifestyle hacker provides a clear opportunity for innovative leadership by the CIO and the CSO.

What is clear is that the technology frontier has moved well beyond the workstation to an increasing constellation of mobile devices and distributed software (some of it already in the cloud). As more processing capability emerges in PDAs, there will be no avoiding them or their distributed software as a work platform. Collaborative technology is here to stay.

Solving the Net Gen productivity problem in order to avoid lifestyle hacking is thus a critical aspect of the CSO’s job. Finding the right balance for your organization will require innovation, education and, most importantly, courage. We certainly can’t hold back Web 2.0 in the name of security! At least not for long. ■

Gary McGraw is chief technology officer at Cigital. Jim Routh is CISO of KPMG.


October  2009  www.csoonline.com  29 


[ undercover ]

By Anonymous

The Many Challenges of Finding Work as a CISO/CSO

An IT pro’s personal tale of a long and bloody job hunt


We can blame it all on this dastardly economy, but even in good periods, qualified individuals find it difficult to land a job as an executive.

Just recently, I applied for a job as a director of information security. The position reported directly to the company’s hiring manager (CIO). It was widely advertised at the company, so many of my friends and colleagues knew who the hiring manager was. I had already contacted the CIO directly—and had subsequently been introduced to him and recommended by other CIOs who knew him well, so the hiring manager immediately e-mailed me to say to contact the HR director for an initial phone interview and to call him later that same day. Both interviews went extremely well, with conversations lasting well over an hour.

We covered their challenges that I could address and gravitated to small talk on our past experiences. We clicked and had a long, enjoyable conversation. The CIO said he would bring me in for a face-to-face meeting the following week once he had a chance to interview other candidates.

Deep down I was overly cautious, having been burned in the past, as I explained to another candidate who had applied. I said, “It would appear to you I’m a natural shoo-in or on the CIO’s short list by knowing so many people and from the work I do. But it is getting to the point that it no longer matters who and what you know, not even if you’re a close friend of the hiring manager.”

Being well-known in the industry and the local IT community, I knew who these other candidates were, and we shared much information. It is a small world.

In the weeks that passed, I sent the CIO two follow-up e-mails; I also e-mailed the HR director in California. All three were met with silence. I also left the CIO two voice mail messages—one on his office line, the other on his personal cell phone—and neither was returned. After three weeks, I received a phone call from the HR director telling me the CIO was unsure about the position. He was contemplating diminishing the role to a lesser grade and I was, of course, overqualified, and so were the other candidates.

The HR person did offer to help me network. He was just as puzzled as I was, and I explained what many information security executives go through. Through subsequent conversations with the other candidates, I learned that the CIO hired someone in an engineering role.

I was not surprised. This has happened to me on countless occasions, as it has with many others across the country.

Here are some of the problems we job seekers are up against.

Corporate Russian Roulette

Is it the current economy that forces companies to ask employees to do more for less? Is it the misconception that companies don’t really know or understand the enormous value that the CISO/CSO can bring to the table? I have notes recorded in a vast database where I keep track and document every detail of every job. It is an aggregator of executive-level jobs posted across the country that I and others have applied for. It includes the job descriptions, contact information, conversations, e-mail correspondence and communications with other candidates who applied. Interestingly enough, a pattern is emerging where a director’s job or even that of a CISO/CSO is diminished abruptly to that of an analyst/engineer role, or the job is placed on indefinite hold.

This characteristic pattern is directly responsible for the myriad security breaches happening at many organizations.

I embarked on trying to find out why this is happening, why so many qualified individuals struggle to find employment as an executive in information security, only to experience the same frustrations I’ve experienced.

Knowing many CIOs and other executives—many of them good friends—I have asked them for insights about my recent experience. They responded that CIOs are under heavy pressure to do more with less and get twice as much done. Moreover, businesses are also under a lot of pressure these days, and directors’ roles may have been diminished for political or other reasons.

Then why is it that when a serious breach occurs, the executives panic and find the budget to spend extraordinary amounts of money to remediate the breach? Why is it that they seem to degrade a vital component in any business—the security of their data? Don’t they know that one serious breach can jeopardize the existence of their business and perhaps lead to criminal investigations? Why is it that many organizations just have one security executive with no staff and hardly any budget to work with as just a figurehead in the organization? Several states and the federal government have enacted or are now enacting tough laws, some of which carry severe penalties should a serious breach occur, including requirements of complete public disclosure to all the victims associated with the breach.

Never mind the mountains of lawsuits that can put a company out of business. This is what’s going on—many companies are revolting, but the laws are being enacted, and ignorance is not bliss. Doing more for less is not the answer. It is not good business to put an organization’s assets at risk—particularly in this economy where security staffs are depleted and not valued. This is not an area where businesses should be doing more with less. They should be doing the opposite to ensure their survival.

At  the  federal  level,  top  information 
security  specialists  have  been  saying  for 
years  that  our  current  infrastructure  is 
at  grave  risk.  Serious  breaches  have  since 
occurred,  and  the  government  is  now 
scrambling.  Most  of  the  agencies  have  been 
mobilized,  and  at  least  four  of  the  national 
laboratories  are  in  an  all-out  effort  to  com¬ 
bat  breaches  and  prevent  future  ones.  Bil¬ 
lions  of  dollars  were  budgeted  to  upgrade 


and  secure  the  nation’s  infrastructure,  and 
why  was  this?  Because  the  same  pattern 
keeps  repeating  itself.  Security  is  ignored 
or  pushed  lower  in  priority  until  a  crisis 
erupts  and  then  there  is  a  scramble  to  cor¬ 
rect  the  problem. 

The  federal  government  is  now  hir¬ 
ing  information  security  specialists,  but 
mostly  in  engineering  or  analytical  roles. 
Few,  if  any,  management  roles  are  being 
developed— a  serious  oversight,  because 


experienced  leadership  is  needed  badly. 

Another problem the federal government has is the requirement that job candidates hold an active security clearance to even be considered for opportunities. The same is true at many of the prime contractors and subcontractors, and they often hesitate to sponsor qualified individuals who could obtain a clearance.

Clearances don't just appear out of thin air. The federal government must instruct the vendors to sponsor employees to apply for clearance. Understandably, the process of getting a clearance is time-consuming and heavily intrudes upon an individual's privacy, and not everyone is clearable. It is expensive, yet this investment must be made to bring qualified individuals on board to secure the infrastructure of our nation.

The  Problem  of  Relocation 

The current economic climate makes it difficult for information security executives to find work, and difficult for them to relocate when many companies are not offering assistance. It is also difficult for many companies to find qualified candidates, since everyone seems trapped, even when they are offered relocation assistance. At an informal roundtable discussion in Silicon Valley that I was invited to, several interesting discussions took place with some of the companies in attendance. What was evident was the inability of top candidates to relocate to where the demand for jobs is. The fundamental reason is economics: people are trapped because relocation assistance might not be available, or because it is not enough to cover the costs of relocation.

People are having difficulty selling their homes, the cost of living is high, and carrying two mortgages can be unrealistic. Housing is problematic and is preventing companies from attracting top talent from other parts of the country. The pressure is on for companies to come up with innovative ways to accommodate this hardship. Subsidizing an apartment for up to a year to give people time to sell their homes, or paying commuting expenses until they can purchase a home, would be a start. But very few companies do the latter, and they only offer relocation assistance for certain strategic positions or key employees. The expense is understandably substantial when they cannot find local talent to fill those strategic positions.

Conclusion 

These are tough times, never before seen by any of us. Some of the executives I've spoken to shared stories of desperation; some of them have lost what they had worked most of their lives to achieve, or had their roles seriously diminished.

Yet I do see a vision of the security executive playing an integral part in supporting the business and adding tremendous value to organizations of all sizes. These mind-set changes have occurred in a number of organizations. They've discovered that security executives bring enormous value and business leadership. ■


Send feedback to Senior Editor Bill Brenner at bbrenner@cxo.com.


After three weeks I received a phone call from the HR director telling me the CIO was unsure about the position, that he was contemplating diminishing the role to a lesser grade, and that I was of course overqualified.
A Helpful Worksheet for Determining Regulatory Compliance Costs

PREPARATION:

1. Choose a large but otherwise arbitrary number.

[Steps 2 and 3 are illegible in the source; step 3 rates something on a scale of 1 (poor) to 5.]

CALCULATION:

[Steps 4 through 6 are illegible in the source; they involve the total number of something, the 14 to 16 digits of every customer's credit card, and hashing that number to keep it in sequence.]

CONCLUSION:

7. Forget lines 2 and 3.

8. Discard line 6 (that was busywork).

9. [Illegible in the source; it ends with the auditor and "the resulting amount."]

10. Congratulations, you're done!
[Advertisement: PhoneFactor]

Get the strong two-factor security you need to protect against today's sophisticated threats without the hassle and cost of yesterday's technology.

• Easy to Set Up, Manage, and Use

• Strong Out-of-Band Authentication

• Rapid Regulatory Compliance

• Far Less Expensive Than Tokens

1. User enters username and password.

2. Instantly, the user receives a call, simply answers and presses # (or a PIN) to complete the login.

www.phonefactor.com | 1.877.NoToken


